{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# PyMISP - An interactive tutorial: Basics"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Connecting to MISP\n",
    "### Your configuration"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "# The URL of the MISP instance to connect to\n",
    "misp_url = 'http://127.0.0.1:8080/'\n",
    "# Can be found in the MISP web interface under\n",
    "# <misp_url>/users/view/me -> Authkey (it is a credential: keep it out of committed notebooks)\n",
    "misp_key = 'BSip0zVadeFDeolkX2g7MHx8mrlr0uE04hh6CQj0'\n",
    "# Should PyMISP verify the MISP TLS certificate (False is only acceptable against a local training instance)\n",
    "misp_verifycert = False"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Getting the API key (automatically generated on the training VM)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "from pathlib import Path\n",
    "\n",
    "api_file = Path('apikey')\n",
    "if api_file.exists():\n",
    "    misp_url = 'http://127.0.0.1'\n",
    "    misp_verifycert = False\n",
    "    with open(api_file) as f:\n",
    "        misp_key = f.read().strip()\n",
    "    print(misp_key)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Initialize PyMISP"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "from pymisp import ExpandedPyMISP, PyMISP\n",
    "\n",
    "misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)\n",
    "misp_old = PyMISP(misp_url, misp_key, misp_verifycert)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Creating a MISP Event"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Directly"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "event = misp.new_event(distribution=1,\n",
    "               threat_level_id=1,\n",
    "               analysis=1,\n",
    "               info=\"Event from notebook\")\n",
    "print(\"Event id: %s\" % event.id)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "event = misp_old.new_event(distribution=1,\n",
    "               threat_level_id=1,\n",
    "               analysis=1,\n",
    "               info=\"Event from notebook\")\n",
    "print(\"Event id: %s\" % event['Event']['id'])"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Using the MISPEvent constructor"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "from pymisp import MISPEvent\n",
    "\n",
    "event_obj = MISPEvent()\n",
    "event_obj.distribution = 1\n",
    "event_obj.threat_level_id = 1\n",
    "event_obj.analysis = 1\n",
    "event_obj.info = \"Event from notebook 2\"\n",
    "event = misp.add_event(event_obj)\n",
    "event_id = event.id\n",
    "print(\"Event id: %s\" % event_id)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Fetching a MISP Event"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "# Fetch by ID\n",
    "event = misp.get_event(event_id)\n",
    "print(event)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "# Fetch by ID\n",
    "event = misp_old.get_event(event_id)\n",
    "print(event)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Adding an Attribute to an event"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Adding directly"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "attr_type = \"ip-src\"\n",
    "value = \"8.8.8.8\"\n",
    "category = \"Network activity\"\n",
    "to_ids = False\n",
    "proposal = False\n",
    "updated_event = misp.add_named_attribute(event,\n",
    "                                 attr_type,\n",
    "                                 value,\n",
    "                                 category=category,\n",
    "                                 to_ids=to_ids,\n",
    "                                 proposal=proposal)\n",
    "print(updated_event)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Using the MISPAttribute constructor"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "from pymisp import MISPAttribute\n",
    "\n",
    "# Reuses the attribute data defined in the cell above\n",
    "attribute = MISPAttribute()\n",
    "attribute.type = attr_type\n",
    "attribute.value = value\n",
    "attribute.category = category\n",
    "attribute.proposal = proposal\n",
    "print(attribute)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "# An attribute can also be loaded directly from a JSON string\n",
    "json = '''{\n",
    "    \"type\": \"ip-dst\",\n",
    "    \"value\": \"127.0.0.1\",\n",
    "    \"category\": \"Network activity\",\n",
    "    \"to_ids\": false,\n",
    "    \"proposal\": false\n",
    "    }'''\n",
    "\n",
    "attribute = MISPAttribute()\n",
    "attribute.from_json(json)\n",
    "print(attribute)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### And then, update the event"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {
    "scrolled": false
   },
   "outputs": [],
   "source": [
    "# Add the attribute to the event\n",
    "## Fetch the event from MISP\n",
    "event_dict = misp_old.get(event_id)['Event']\n",
    "\n",
    "## Convert it to a PyMISP Event\n",
    "event = MISPEvent()\n",
    "event.from_dict(**event_dict)\n",
    "\n",
    "## Add the attribute to the event\n",
    "event.add_attribute(**attribute)\n",
    "event.add_attribute(type='domain', value='circl.lu', disable_correlation=True)\n",
    "\n",
    "## Push the updated event to MISP\n",
    "event_dict = misp.update_event(event)\n",
    "print(event_dict)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "# New Python 3.6 API\n",
    "event = misp.get(event_id)\n",
    "\n",
    "## Add the attribute to the event\n",
    "event.add_attribute(**attribute)\n",
    "event.add_attribute(type='domain', value='circl.lu', disable_correlation=True)\n",
    "\n",
    "## Push the updated event to MISP\n",
    "event_dict = misp.update_event(event)\n",
    "print(event_dict)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Performing a search"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Events by their info fields"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "result = misp.search_index(eventinfo='notebook')\n",
    "events = result['response']\n",
    "\n",
    "print('Found ', len(events), ' events!')\n",
    "for event in events:\n",
    "    print(event['id'], ':', event['info'])"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "results[0]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Attributes by their values"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Search in all attributes"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {
    "scrolled": true
   },
   "outputs": [],
   "source": [
    "# Search attributes (the 'attributes' controller) where the attribute type is 'ip-src'\n",
    "# and the to_ids flag is not set (to_ids=0)\n",
    "attributes = misp.search(controller='attributes', type_attribute='ip-src', to_ids=0, pythonify=True)\n",
    "\n",
    "# Collect the event_id of every attribute matched by the search\n",
    "event_ids = set()\n",
    "for attr in attributes:\n",
    "    event_ids.add(attr.event_id)\n",
    "\n",
    "# Fetch all related events\n",
    "for event_id in event_ids:\n",
    "    event = misp.get_event(event_id)\n",
    "    print(event.info)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Creating and adding a MISP Object"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "from pymisp import MISPObject\n",
    "\n",
    "object_name = 'email'\n",
    "object_data = {\n",
    "    'from': 'admin@admin.test',\n",
    "    'to': 'admin@foo.bar',\n",
    "    'subject': 'An email',\n",
    "}\n",
    "\n",
    "# Create the MISP Object\n",
    "misp_obj = MISPObject(object_name)\n",
    "for obj_relation, value in object_data.items():\n",
    "    if obj_relation == 'subject':\n",
    "        misp_obj.add_attribute(obj_relation, value=value, comment='My fancy subject', disable_correlation=True)\n",
    "    else: \n",
    "        misp_obj.add_attribute(obj_relation, value=value)\n",
    "\n",
    "template_id = misp.get_object_template_id(misp_obj.template_uuid)\n",
    "\n",
    "# Add the object to MISP\n",
    "response = misp.add_object(event_id,\n",
    "                           template_id,\n",
    "                           misp_obj)\n",
    "print('Event ID', event_id)\n",
    "print(response)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Direct API call, without PyMISP's client-side validation"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "# The URL of the MISP instance to connect to\n",
    "#misp_url = 'http://127.0.0.1:8080/'\n",
    "# Can be found in the MISP web interface under\n",
    "# <misp_url>/users/view/me -> Authkey (it is a credential: keep it out of committed notebooks)\n",
    "#misp_key = 'BSip0zVadeFDeolkX2g7MHx8mrlr0uE04hh6CQj0'\n",
    "# Should PyMISP verify the MISP TLS certificate (False is only acceptable against a local training instance)\n",
    "#misp_verifycert = False\n",
    "\n",
    "from pymisp import PyMISP\n",
    "\n",
    "misp = PyMISP(misp_url, misp_key, misp_verifycert)\n",
    "misp.direct_call('attributes/add/58', {'type': 'ip-dst', 'value': '8.11.8.8'})"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "# The URL of the MISP instance to connect to\n",
    "misp_url = 'http://127.0.0.1:8080/'\n",
    "# Can be found in the MISP web interface under\n",
    "# <misp_url>/users/view/me -> Authkey (it is a credential: keep it out of committed notebooks)\n",
    "misp_key = 'fk5BodCZw8owbscW8pQ4ykMASLeJ4NYhuAbshNjo'\n",
    "# Should PyMISP verify the MISP TLS certificate (False is only acceptable against a local training instance)\n",
    "misp_verifycert = False\n",
    "\n",
    "from pymisp import PyMISP\n",
    "\n",
    "misp = PyMISP(misp_url, misp_key, misp_verifycert)\n",
    "misp.direct_call('attributes/add/2167', '{\"type\": \"ip-dst\", \"value\": \"8.8.8.9\"}')"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "# The URL of the MISP instance to connect to\n",
    "#misp_url = 'http://127.0.0.1:8080/'\n",
    "# Can be found in the MISP web interface under\n",
    "# <misp_url>/users/view/me -> Authkey (it is a credential: keep it out of committed notebooks)\n",
    "#misp_key = 'fk5BodCZw8owbscW8pQ4ykMASLeJ4NYhuAbshNjo'\n",
    "# Should PyMISP verify the MISP TLS certificate (False is only acceptable against a local training instance)\n",
    "#misp_verifycert = False\n",
    "\n",
    "from pymisp import PyMISP\n",
    "\n",
    "misp = PyMISP(misp_url, misp_key, misp_verifycert)\n",
    "misp.direct_call('events')"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": []
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": "Python 3",
   "language": "python",
   "name": "python3"
  },
  "language_info": {
   "codemirror_mode": {
    "name": "ipython",
    "version": 3
   },
   "file_extension": ".py",
   "mimetype": "text/x-python",
   "name": "python",
   "nbconvert_exporter": "python",
   "pygments_lexer": "ipython3",
   "version": "3.7.3"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 2
}
